exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ComLog.pl

ComLog.pl
Posted Aug 16, 2002
Authored by Floydman | Site securit.iquebec.com

ComLog.pl, a WIN32 command prompt logger - The goal of this paper is to present a new Perl tool made to monitor DOS sessions on Windows NT/2K (should also work on XP). This tool can be used by administrators to keep a history of commands typed in the DOS command prompt and the associated output, for example on an IIS server. This can help admins to figure out what an attacker has done after compromising the machine via one of the numerous vulnerabilities available.

tags | perl, vulnerability
systems | windows
SHA-256 | 5bb1270554a58f6c4a654c5606f788b2f62f2ad347bee9a773e47748ee4612d5

ComLog.pl

Change Mirror Download
ComLog.pl, a WIN32 command prompt logger
by Floydman, floydian_99@yahoo.com
August 13th 2002

This paper is available online at www.geocities.com/floydian_99 and
http://securit.iquebec.com

This paper can be freely distributed and reproduced, as long as correct
credentials are maintained, and that no modifications are made to this
file. For corrections, suggestions or comments, please send me an e-mail.

Abstract

The goal of this paper is to present a new Perl tool that I made to monitor
DOS sessions on Windows NT/2K (should also work on XP, but cannot try
it). This tool can be used by administrator to keep a history of commands
typed in the DOS command prompt and the associated output, for example on
an IIS server. This can help admins to figure out what the attacker has
done after compromising the machine via one of the numerous vulnerabilities
this software present. Of course, like any keylogger out there, it can
also be use for malicious purpose, but I think other programs out there
make better spying tools.


Preface

I started writing about my own experiences in the security field after
reading Lance Spitzner's whitepapers, way back before the HoneyNet Project
grew into the multi-disciplinary team that has now joined him and make the
project as we know it today. I also wanted to inspire myself of what was
being done on the UNIX platform (making your own tools when they don't
exists) to transpose it in the Windows world, where I am more
comfortable. This paper follows these traditions, as the idea for it came
to me while reading the HoneyNet Project recent book, Know your ennemy. In
the book, one passage relate to how the HoneyNet is designed to sniff all
the traffic that passes into it since all of this traffic is suspicious by
nature. This worked great for capturing what the attackers were doing on
the systems, up to the day when someone was using cryptcat to hide his
session. To circumvent this problem, the team made a modification in the
source code of bash to log the session and recompiled it for the next
attack. However, the book says, since we can not do the same with
Microsoft code, they didn't bother to make an equivalent solution for
Windows. ComLog fills that gap.

Special thanks to Lance Spitzner for his comments and ideas during the
improvement of the pre-release.

Targeted audience

This document is presented to anyone who has interests in computer
security, honeynets, trojan horse, keyloggers, network administration and
computing in general.

1. Introduction
2. Purpose of the program
3. How it works
4. Things you need to know
5. To Install
6. Conclusion
Appendix A. Source code
Appendix B. Sample session history (console)
Appendix C. Sample session history (history.txt)

1. Introduction

One of the most common ways that Windows machines are hacked is through the
command prompt. This is not surprising, since this is the shell
environment on the Win32 platform, it permits the execution of commands
without the need of a GUI, and is easily accessed by executing one single
file, either command.com on Win 9x/Me, or cmd.exe on Win NT/2K. While this
file in itself is not a problem, the thing is that it can be accessed by
many ways by anyone who can guess where is located this file, and most of
the time, it is always in the same places, because the installations were
made by default. This is how most of IIS exploits work, they rely on a
Unicode encoding or a special format string to fool the server into
accessing files outside of the web directory and make a renamed copy of
cmd.exe (because IIS filters commands sent directly to cmd.exe, thanks
Microsoft for the great security), and then simply issues command to this
copy via a URL in their web browser. Code Red and Nimda were doing that
automatically.

Also, admins may want to keep an eye on what's going on in the DOS prompts
on their users workstations, as the inside threat remains the greatest
concern for computer security. I mean, what could secretaries, accountants
and other office employees be doing in a DOS prompt that is related to
their job? I wouldn't go as far as to remove their access to the command
prompt, besides it may be needed from time to time by support people. But
right now, how can you tell if one of the employees on your network is not
doing a ping scan or is netcating his way to the restricted file server and
making password dumps?

2. Purpose of the program

The purpose of this program is quite simple: improve the forensics
disponibility in case of a break-in in order to better determine the
actions of the attacker. Forensics is a whole ball game in itself in
security. It requires a good understanding of the systems involved, and
experience of attacks usually made helps in focusing on the important
things. Forensics is all about figuring out what has happened on a
computer system (or network) after an intrusion has been done. To do this,
all the information available is crucial: firewall logs, IDS logs (if any),
system logs, volatile information on the systems (what processes are
running in memory, ...), complete bit-by-bit disk image. All of this in
order to try to understand what has happened, but on top of it, one must
make sure not to alter this data by manipulating it, considering that the
attacker may have gone through great efforts to hide his traces.

ComLog will not solve all the problems computer forensics face today. But
it will help greatly in reducing the time necessary to understand the scope
of an attack if the intruder made his attack via the command
prompt. Instead of trying to reverse-engineer the attackers tool or to
look for modified signature files to determine the actions of the attacker,
one will only have to check these logs to determine what commands were
typed by the attacker. By storing centrally the history files of the
command prompts on your network, along with your antivirus log files and
maybe even personal firewall log files (for more details on this, read
"Securing the Microsoft internal network"), you improve your knowledge
about the kind of activity that is going on on your machines. And it gives
you the chance to act wisely before it is too late.

3. How it works

ComLog is a Perl program that sits in front of the command prompt and
emulates it, capturing any data typed in and out before transmitting it to
the real prompt for execution or before displaying the data on the
screen. It could be considered as a wrapper. To do so, the program must
be compiled with perl2exe (available from www.indigostar.com) and renamed
cmd.exe (this is why it doesn't work on Win9x/Me, these OS use command.com,
which allow for smaller files, and I haven't figured how to make a .com
file. Besides, it is used for boot-up. If you can help on this one, send
me an e-mail). The real cmd.exe has to be renamed cm_.exe (or whatever
name you chose, but make sure to change the source code approprietly),
because we still need it to execute the commands asked by the user.

So this way, when a user double-click on the command prompt icon, or run
cmd.exe from the Start menu, or a cracker issues commands to the prompt by
abusing the web server, web browser, database server, mail client, netcat
session, etc., or to a renamed or relocated copy of it, it will be thru
ComLog that these commands will be issued. ComLog makes a timestamp in the
log file (*.clg) between each input and output, allowing the administrator
to know things like at what time each event occured, how much time each
command took to perform, how much time passes between the result of the
last command and the when the next command is issued, etc.

Since ComLog emulates the command prompt, there are certain things we need
to keep track of in order to make the session as transparent as possible to
the user. Such things to keep track of is the current directory and
current drive, and to keep track of this we monitor closely 'cd' command
and changes of drive. 'cls' is also a command that I cannot rely on
cm_.exe to implement, since it returns an empty screen as output, so we
implement that as well. We also have to check if the drive or directory
the user wishes to go to really exists, or else ComLog will contain
erroneous environment data and will stop working properly. This causes a
limitation in the use of the wildcard '*' in directory names (more on that
in the next chapter).

That is about all the checking and emulating that is done, all the rest
that is typep by the user and/or attacker will be sent as is to the real
prompt (cm_.exe), and bad commands will simply produce the expected "The
name specified is not recognized as an internal or external command,
operable program or batch file." error message, as it normally would.

ComLog always start in the . (current) directory. Issuing cd commands with
relative paths will create a relative path chain that will keep track of
the current directory. So after browsing a couple of directories out of
and back in to C:\WINNT\SYSTEM32(cd..; cd..; cd winnt; cd system32), the
path should look like .\..\..\WINNT\SYSTEM32, altough the user will only
perceive his current directory. Issuing a cd command with a path starting
with \ will replace the whole relative path that built over the session
with that absolute path, in order to avoid getting too long and confusing
relative path names in memory. Further relative path browsing will be
appended to this absolute path, until a new absolute path is
entered. Drives and current directories for each drive are kept in a
self-adjusting table. Bad directories and bad drives error messages are
handled by ComLog, and will replace the user's command with something
neutral so not to disturb environment variables. Once these checks are
done, commands are sent in the form of cm_.exe /C currentdrive: && cd
currentdir && usercommand, the && signs are letting us to issue more than
one command on the same line. So this way, the new instance of cm_.exe
(which has its own environment variables) is always kept fresh on where the
user wants to be. cm_.exe terminates after executing the command. This is
why we have to keep track of the environment variables ourselves. The
output is captured, sanitized to hide ComLog's prosence, and then sent to
its log file and displayed on the screen.

In the first, pre-release version of ComLog, log files were stored in a
file called history.txt, that was present in the . (current directory)
along with cmd.exe. I thought that this was good, because ComLog would
produce a log file wherever it is copied to. But this produced two
problems that are now solved with a single solution. First, if two (or
more) instances of the same cmd.exe were running, they were all writing to
the same log files. So issuing an intensive command like dir \ /s on one
instance meant that one command typed in another instance had to wait until
the intensice dir finishes before producing its output. The other thing
was that having a potentially floating location for the log files, it was
hard to keep an eye on it using a tool like LogAgent. This was solved by
storing the log files in \WINNT\Help\Tutor, each instance having a
random-generated filename associated to it, to prevent collision. ComLog
log files have a .clg extension. Take note that if you install ComLog
manually (not using the install pack), you have to create the \Tutor folder
in \WINNT\Help.

4. Things you need to know

ComLog does a pretty good job at pretending to be the real command prompt,
but in fact it has some limitations that can affect or not its actor
performance, depending on the situations. Some limitations are gone since
the pre-release version, but some still remain. First of all, since I
mentionned it earlier, there is a limitation in the use of the * wildcard
in directory names. In normal circumstances, under NT/2K, you can cd to a
directory by supplying only the first few letters followed by a *, which
can be convenient with long path names. The limitation occured when I
implemented the checkdir() function (which I cannot remove, or else ComLog
may be fooled into non-existing directories, and at that point you can kiss
your cover goodbye). I tried doing it with the opendir() function, like I
did with checkdrive(), but it doesn't support wildcards whatsoever (from my
testing, anyway). So I use the same trick as when I send commands, and I
use this to make a IF EXIST on the directory (this is usually used only in
batch files, since there is little use to make an IF statement on a
one-liner, but it works just as well when it is typed in DOS) to validate
its existence. And the IF EXIST command cannot handle more than one layer
of wildcarded directories. For example, in a ComLog session, let's pretend
that I am in the root directory, and I want to move to \Program
Files\Common Files. If I type cd pro* [ENTER], cd com* [ENTER], this will
work just great. But if I type cd pro*\com*, the program will issue a "The
system cannot find the path specified." error message. But under a real NT
command prompt, that line should work.

Another problem is that it cannot handle interactive DOS programs, such as
a regular FTP session or something as simple as date or time (you have to
at least press enter to exit date and time). Since the command prompt
output is captured by ComLog, and that ComLog waits for cm_.exe to
terminate to continue its execution, and that cm_.exe is waiting for some
sort of user input that will not come before quitting, we can see where the
problem lies. Under certain circumstances, this is not so much of a
problem, for example a web server that the command prompt can be abused
with netcat, since netcat won't allow for interactive programs either, so
the attacker behavior will already be adjusted to that limitation (or else
he will face the same results). But on a local prompt, where a user might
want to launch an interactive DOS program (be it a network scanner waiting
for its parameters or a mere DOS game), it will be obvious that something
is not working right. Launching such a program from the GUI should not
pose a problem, but if you must absolutely start a program from a DOS
prompt, remember that you can always do so from cm_.exe.

One other thing is that ComLog will try to hide himself from the view of
the user, by modifying the output when cm_ or ComLog log files shows
up. This will be the case if the user issues a dir or a pslist command to
see what files or running programs are present on the system. This have
the side effect of having a different file count at the end of the dir
commands and the number of files displayed on the sreen (or the user's
dumpfile, as he is likely to do). While this has little chance of being
detected on directories containing a lot of files, in an empty directory,
this might ring a bell to an attacker. Another thing that could give it is
that by hiding the bigger file size for cmd.exe (695 kb once compiled with
perl2exe, compared to 204 kb on NT and 231 kb on 2K), I drop any files that
is the same exact size as ComLog. So, in a directory where you have
cm_.exe (204 kb), cmd.exe(695 kb), and you copy cmd.exe to root.exe and
produce a dir, you will see cmd.exe(204 kb), but no trace of cm_.exe
(that's good) or root.exe (not so good).

Oh!, I almost forgot. If you use ComLog in its Perl format, or if you
compile it and is it called comlog.exe or anything else except cmd.exe, it
will work as advertised. But when you rename cmd.exe to cm_.exe, and
rename ComLog.exe to cmd.exe, ComLog will go on an infinite loop when you
try to execute cmd.exe. This is because the compiled program still need a
shell environment to start into, and that shell is by default...
cmd.exe. So the program just keep launching itself in the useless hope of
ever finding a shell environment. It took me quite a while to figure this
one out, tried almost everything from changing my COMSPEC variable, editing
the registry, patching some Windows executables and DLLs (the later caused
my system not to be able to boot anymore. Luckily I had a NT Recovery CD
with NTFS4DOS on it, which let me put the original DLLs in place). It
turns out that all you need to do is to patch 2 ActivePerl DLL with a hex
editor to do the trick. This is where is stored the hardcoded call to
cmd.exe that kept haunting me, no matter what change I was applying to my
system. The files that need to be changed are p2x560.dll and
perl56.dll. Make a backup of these files and open them with a hexadecimal
editor. Make a string search for cmd.exe (there's only one instance in
each file), and replace the 'd' character with '_'. Of course, you could
chose another name, but you have to realize that you are limited to a three
characters filename, and that you must change the name evrywhere in the
program so that it matches accordingly. Windows 200 involve one more step
(not covered with the ComLog shareware install pack, to come later), thanks
to Windows File Protection, a feature added in Win2K that lets the system
monitor its system files and replace them with the original version if they
become corrupted or deleted. This feature, which was inexistant on Windows
before, will effectively keep replacing ComLog with the real cmd.exe. This
feature can be disabled with a simple registry tweak on Win2K, a DLL have
to be patched in addition of the tweak on Win2K SP2. Full details on how
to disable Windows File Protection can be found at
http://www.jsifaq.com/SUBK/tip5300/rh5392.htm and
http://www.lanovation.com/support/docs/NT_2000/WFP_2000XP.htm or by typing
'disabling Windows File Protection' on Google.

The last thing is the giveaway that is the banner displayed at the end of
execution when compiled with perl2exe evaluation version. This is why you
may want to download the install pack, it is compiled with a registered
version of perl2exe.

5. To Install

For Win NT4:

1) Download the installation package (free) at
http://securit.iquebec.com/download.html;

or 2) Installing it manually from the source code displayed below.

In the case of 1), simply download the file and execute it on the machine
you want to install it on. This file will copy 2 files in your
\Winnt\System32 directory (cmd.exe, cm_.exe), and will create the directory
\Tutor in \Winnt\Help\. ComLog Log files are stored in \Winnt\Help\Tutor.

In the case of 2), first of all you need a copy of Perl installed, I
suggest ActivePerl from www.activestate.com (it's free) if you don't
already have one. Then you need a hex editor, I suggest XVI32 (also free)
that you can download at
http://download.com.com/3000-2352-7621132.html?tag=lst-0-15. Then, using
the hex editor, you have to edit p2x560.dll and perl56.dll in your
\Perl\bin directory, and change the instance of cmd.exe to cm_.exe. Copy
cmd.exe to cm_.exe in \Winnt\System32. Copy the code presented below and
save it to comlog.pl. Then, using perl2exe, compile comlog.pl, and rename
the resulting comlog.exe to cmd.exe. Then copy this cmd.exe over your
original cmd.exe (keep your cm_.exe, comlog needs it). Finally, create a
directory called \Tutor in \Winnt\Help, for storing the log files. To use,
simply go to a Dos prompt via your preferred way.

For Win2K : The same, except that you first have to disable the Windows
File Protection feature. Look at
http://www.jsifaq.com/SUBK/tip5300/rh5392.htm and
http://www.lanovation.com/support/docs/NT_2000/WFP_2000XP.htm or by typing
'disabling Windows File Protection' on Google for more details about this.

6. Conclusion

So this concludes the documentation accompanying this software. As we have
seen above, ComLog is a tool that can empowers network administrators into
knowing what is going on with the command prompts on their machines, and
can use it to determine the actions of an attacker. Since only what is
going through the command prompt is logged, I think this is not too
intrusive to be placed eventually on every PC on a network, since regular
office employees rarely have a professional reason to justify the use of
the command prompt. ComLog being an emulator, it does show some
shortcomings when compared with the real McCoy, but it should not prevent
its use in most cases. However, fine knowledge of these shortcomings could
help an intruder to determine that he is being watched, and more effort
should be put into improving the program even more. A lot has been done
recently to improve this, such as improving LogAgent to handle these logs
and to make sure that ComLog has a LogAgent-compatible log file storing
strategy, but more could be done to improve concealing. Finally, the
source code is presented in Appendix A, and a sample session is showed as
it appears on the console (Appendix B) and in the history.txt log file
(Appendix C). The code should be easy to read, as I used comprehensive
variable and procedure names, and I made a lot of comments along the code.

Appendix A. Source code
#!D:\dev\perl\bin\perl.exe
# ComLog 1.0

#########################################################################################
# ComLog 1.0 #
# by Floydman floydian_99@yahoo.com #
# Copyright 2002 SecurIT Informatique Inc. http://securit.iquebec.com #
# #
# This program captures the input/output of the Windows NT Command Promt
(cmd.exe). #
# It does so by prentending to be the real prompt and forwarding the
commands to the #
# real (and renamed) cmd.exe. I/O is stored in a random-generated log file
in #
# \WINNT\Help\Tutor.
#########################################################################################

#########################################################################################
# LICENSE #
# This software is Open Source. This means that its source code is open,
free and avai-#
# lable for anyone to look into, make modifications, correct bugs (let me
know, please) #
# and use for personal and commercial use. You can create your own
binaries with #
# perl2exe (www.indigostar.com), or download the install package from #
# securit.iquebec.com/download.html. #
#########################################################################################

#########################################################################################
# Main Program #
# This is the main structure of ComLog. #
# This programs is a loop that will be passed only once if arguments are
passed with #
# ComLog, since it means it was not launched for interactive use. Else,
the loop will #
# go on until the user types 'exit' or breaks otherwhise the program
execution (CTRL-C).#
# The program then presents the prompt to the user, and gets the command
typed at the #
# keyboard. Change of drives or directories are checked for, since ComLog
have to #
# provide these parameters to the real command prompt. Everything is
logged in a #
# random generated filename to allow for multiple instances. Output is
sanitized to #
# hide ComLog's presence. #
#########################################################################################


use Win32;

# Initialization of entrant parameters, current dir, command, exit and
currentdrive
$input = join (' ',@ARGV);
$index = 0;
$currentdir[$index] = '.\\';
$command = '';
$exit = 1;
$currentdrive[$index] = getcurrentdrive ($currentdir[$index]);
$nothing = 1; # nop
$winnt = "Windows NT Version 4.0";
$wintwok = "Microsoft Windows 2000";
$cleanlog = 0; # Set to 0 to keep the local log files, set to 1 to delete
them after the session is done

$history = randomfilename();

open (WINVER, "cm_.exe /C ver |") or die "Can't open pipe";
@header = <WINVER>;
close (WINVER);

$header = join('', @header);

if ($header=~m/$winnt/) {sendoutput ("Microsoft(R) Windows NT(TM)\n(C)
Copyright 1985-1996 Microsoft Corp.\n");}
if ($header=~m/$wintwok/) {sendoutput ("Microsoft Windows 2000 [Version
5.00.2195]\n(C) Copyright 1985-1999 Microsoft Corp.\n");}

# Get the path for the fake prompt
getprompt($currentdrive[$index], $currentdir[$index]);

# If no args are passed, we cancel the $exit marker and launch the prompt
if ($input eq '') {$input = <STDIN>; $exit = 0;}

# Enters in an "interactive" session and will terminate on 'exit', the loop
will run only once if $exit is set to 1
while ($input ne "exit\n")
{
chomp $input;
$cdcommand = 0; $baddir = 0; $baddrive = 0;

SWITCH: {
# If the command starts with 'cd', then it checks if the next character is \
# If it is, then the string replaces the $currentdir. If it does not
start with
# a \, then the string is appended at the end of the path in $currentdir
# If nothing follows the cd command, then the command is put back in $input
# since we modified the string for analysis with the shift command above
$input=~m/^cd/i && do {
@input = split (//,$input);
if ($input[0] eq "c" or $input[0] eq "C") {shift @input;}
if ($input[0] eq "d" or $input[0] eq "D") {shift @input;}
while ($input[0] eq " ") {shift @input;}

if (@input)
{
if ($input[0] eq "\\")
{
$input = join ('',@input);
$direxist = checkdir($currentdrive[$index], "\\", $input);
if ($direxist)
{
$currentdir[$index] = $input;
$cdcommand = 1;
$input = "cd ".$input;
}
else {$cdcommand = 1; $baddir = 1; $input="cd";}
}
else
{
$input = join ('',@input);
$direxist = checkdir($currentdrive[$index],$currentdir[$index],
$input);
if ($direxist)
{
$currentdir[$index] = $currentdir[$index].$input.'\\';
$cdcommand = 1;
$input = "cd ".$input;
}
else
{ $cdcommand = 1; $baddir = 1; $input="cd"; }
}
}
else
{ $input="cd"; }
last SWITCH;
};
# If the command is 'cls', we nullify the command and simulate it from the
perl program
$input=~m/cls/i && do {
system("cls");
sendinput ($input."\n");
$input = "";
last SWITCH;
};
# If the command is to change the drive letter (c:, d:, etc), we set our
variables accordingly
# If it's the first time the drive is accessed, an entry is added in the
table to store it with its current directory
$input=~m/^\w:$/ && do {
$i = 0;
foreach $drive (@currentdrive)
{
if ($currentdrive[$i]=~m/$input/i)
{$index = $i; last SWITCH;}
$i++;
}
if ($index ne $i)
{
$driveexist = checkdrive($input);
if ($driveexist)
{
$index = $i;
$currentdrive[$index] = $input;
$currentdir[$index] = '.\\';
}
else {$baddrive=1; $input = $currentdrive[$index];}
}

last SWITCH;
};
$nothing = 1;
}

# If it is a 'cd' command, then we simply execute a 'cd' command with the
$currentdir path
# If not, then we issue the 'cd' command anyway, as it is needed to
position the summoned instance
# of cm_.exe in the right directory, then we call the command typed at the
prompt
# $command contains the string of the final command to be sent to the real
DOS prompt
if ($cdcommand)
{ $command = "cm_.exe /C ".$currentdrive[$index]." && cd
".$currentdir[$index]; }
else
{ $command = "cm_.exe /C ".$currentdrive[$index]." && cd
".$currentdir[$index]." && ".$input; }

# Writes the input to the history file
sendinput ($input."\n");

# If the command is valid and it's not an empty carriage return, then we
call the command and capture the output

if ($baddir) { sendoutput("The system cannot find the path specified.\n"); }
if ($baddrive) { sendoutput("The system cannot find the drive specified.\n"); }

if ($input ne '')
{
open (COMMANDOUTPUT, $command." |") or die "Can't open pipe";
@output = <COMMANDOUTPUT>;
close (COMMANDOUTPUT);
sendoutput (@output);
}

# If the $exit marker is not set, get the fake prompt
if ($exit) {$input = "exit\n";} else {getprompt($currentdrive[$index],
$currentdir[$index]); $input = <STDIN>;}

} # End of While

# sends the final command (exit) to the history log file
sendinput ($input."\n");

if ($cleanlog) {unlink ($history);}

#End Of Main

#########################################################################################
# procedure getcurrentdrive(currentdir) #
# This procedure gets the drive where is located the current directory. #
#########################################################################################
sub getcurrentdrive
{ my ($dir) = @_;

open (PROMPT, "cd".$dir." && cd |") or die "Can't open pipe";
$prompt = <PROMPT>;
chomp $prompt;
close (PROMPT);

@prompt = split (//,$prompt);
$drive = join ('', ($prompt[0], $prompt[1]));
return ($drive);
}

#########################################################################################
# procedure getprompt(currentdrive, currentdir) #
# This procedure receives the current drive and directory and fakes a
command prompt. #
#########################################################################################
sub getprompt
{ my ($drive, $dir) = @_;

open (PROMPT, $drive."&& cd ".$dir." && cd |") or die "Can't open pipe";
$prompt = <PROMPT>;
chomp $prompt;
close (PROMPT);
sendoutput ("\n".$prompt.">");
}


#########################################################################################
# procedure sendinput(line) #
# This procedure writes the input received into the history file #
#########################################################################################
sub sendinput
{ my (@line) = @_;

$now = localtime;

# Opening of history file
open (HISTORY, ">>".$history) || die "Can't open session log file";
lock HISTORY;
print HISTORY "$now\n";
print HISTORY "@line";
close (HISTORY);
}

#########################################################################################
# procedure sendoutput(output) #
# This procedure writes the output from commands received into the history
file and to #
# the console. It also sanitize the output to conceal the program presence. #
#########################################################################################
sub sendoutput
{ my (@output) = @_;

$now = localtime;

# Opening of history file
open (HISTORY, ">>".$history) || die "Can't open session log file";
lock HISTORY;
print HISTORY "$now\n";
foreach $line (@output)
{
$line=~s/cm_.exe/cmd.exe/i;
if (!(($line=~m/711,342/) || ($line=~m/\w{8}.clg/) || ($line=~m/cm_/)))
{ print "$line";
print HISTORY "$line";
}
}
close (HISTORY);
}

#########################################################################################
# procedure checkdir($drive, $path, $dir) #
# This procedure checks for the existence of a directory before changing to
it. #
#########################################################################################
sub checkdir
{ my ($drive, $dir, $unknown) = @_;

$command = "cm_.exe /C ".$drive." && cd ".$dir." && if exist ".$unknown."
echo OK";

open (COMMANDOUTPUT, $command." |") or die "Can't open pipe";
$output = <COMMANDOUTPUT>;
close (COMMANDOUTPUT);
if ($output eq "OK\n") {return 1;} else {return 0;}
}

#########################################################################################
# procedure checkdrive($drive) #
# This procedure checks for the existence of a drive before changing to it. #
#########################################################################################
sub checkdrive
{ my ($drive) = @_;

opendir (TESTDRIVE, $drive."\\") or return 0;
closedir (TESTDRIVE);
return 1;
}

#########################################################################################
# procedure randomfilename() #
# This procedure generates a random filename for the session log. #
#########################################################################################
sub randomfilename
{
for ($gen=0; $gen<8; $gen++) {$random = int (rand 26)+97; $history =
$history.chr($random);}
$history = $history.".clg";
$history = $ENV{SystemRoot}."/Help/tutor/".$history;
return $history;
}
#EOF


Appendix B. Sample session history (console)
(note: this session history was made with the pre-release version of
ComLog. The same commands would now produce a slightly different result.)

Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.


D:\commandlog>dir
Volume in drive D is D
Volume Serial Number is 0480-D01C


Directory of D:\commandlog


08/04/02 04:35a <DIR> .
08/04/02 04:35a <DIR> ..
08/04/02 04:26a 655,520 cmd.exe
08/04/02 04:20a 8,726 comlog.pl
08/04/02 04:10a 18,433 comlog.txt
05/13/02 02:42p 1,506 command logger.txt
02/11/02 11:47a 971 pseudo code.txt
08/04/02 04:26a 655,520 root.exe
08/04/02 04:28a 583 Shortcut to cmd.exe.lnk
05/30/02 02:04p 35 systempath.txt
07/21/02 03:27p 878 test.txt
13 File(s) 1,557,580 bytes
488,346,112 bytes free


D:\commandlog>echo "There is a copy of cm_.exe and history.txt in here, but
we d
on't see it"


D:\commandlog>echo "That last message didn't echo because it contained the
fobid
den words"
"That last message didn't echo because it contained the fobidden words"


D:\commandlog>cd ..


D:\>dir
Volume in drive D is D
Volume Serial Number is 0480-D01C


Directory of D:\


08/04/02 04:35a <DIR> commandlog
06/25/02 12:57p <DIR> Dev
12/25/00 09:34p <DIR> downloads
08/04/02 04:20a <DIR> Log
08/04/02 04:21a <DIR> LogAgent 2.0
01/02/01 03:57p <DIR> movies
07/24/01 12:59p <DIR> Musique
08/04/02 02:42a <DIR> NONE
06/25/02 01:59p <DIR> NTRESKIT
08/04/02 02:59a 67,108,864 pagefile.sys
05/20/01 06:10a <DIR> Program Files
08/04/02 04:36a <DIR> TEMP
04/30/02 02:33p <DIR> Test
10/15/00 04:06p <DIR> VIRUSES
05/24/02 06:22p <DIR> WINNT
05/24/02 06:22p 92 WINNTdun.bat
16 File(s) 67,109,842 bytes
488,345,088 bytes free


D:\>ipconfig


Windows NT IP Configuration


Ethernet adapter DE5284:


IP Address. . . . . . . . . : 192.168.0.1
Subnet Mask . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . : 192.168.0.1


PPP adapter NdisWan3:


IP Address. . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . :


D:\>net share


Share name Resource Remark


-------------------------------------------------------------------------------
IPC$ Remote IPC
C$ C:\ Default share
D$ D:\ Default share
G$ G:\ Default share
Log$ D:\Log
ADMIN$ D:\WINNT Remote Admin
Log D:\Log
The command completed successfully.



D:\>dir \log >> dirlog.txt


D:\>echo "The user see no display because he sent the output to a file"
"The user see no display because he sent the output to a file"


D:\>type dirlog.txt
Volume in drive D is D
Volume Serial Number is 0480-D01C


Directory of D:\log


08/04/02 04:20a <DIR> .
08/04/02 04:20a <DIR> ..
04/30/02 02:37p 3,819 adam.log
09/25/00 08:31p 373 bind.log
05/20/01 05:46a 6,917 getright.log
08/04/02 02:50a 131,546 IAMDB.RDB
09/25/00 08:31p 41 restart.log
08/04/02 04:20a 177 Scan Viruses.lnk
09/25/00 08:31p 36 shutdown.log
09/25/00 08:31p 104 startup.log
04/29/02 02:56p 218 test.bat
04/30/02 02:33p 3,721 test.txt
07/24/01 11:26a 5,553 ZALog.txt
14 File(s) 153,044 bytes
488,340,480 bytes free


D:\>dir
Volume in drive D is D
Volume Serial Number is 0480-D01C


Directory of D:\


08/04/02 04:35a <DIR> commandlog
06/25/02 12:57p <DIR> Dev
08/04/02 04:39a 886 dirlog.txt
12/25/00 09:34p <DIR> downloads
08/04/02 04:20a <DIR> Log
08/04/02 04:21a <DIR> LogAgent 2.0
01/02/01 03:57p <DIR> movies
07/24/01 12:59p <DIR> Musique
08/04/02 02:42a <DIR> NONE
06/25/02 01:59p <DIR> NTRESKIT
08/04/02 02:59a 67,108,864 pagefile.sys
05/20/01 06:10a <DIR> Program Files
08/04/02 04:36a <DIR> TEMP
04/30/02 02:33p <DIR> Test
10/15/00 04:06p <DIR> VIRUSES
05/24/02 06:22p <DIR> WINNT
05/24/02 06:22p 92 WINNTdun.bat
17 File(s) 67,109,842 bytes
488,339,456 bytes free


D:\>cd commandlog


D:\commandlog>dir
Volume in drive D is D
Volume Serial Number is 0480-D01C


Directory of D:\commandlog


08/04/02 04:35a <DIR> .
08/04/02 04:35a <DIR> ..
08/04/02 04:26a 655,520 cmd.exe
08/04/02 04:20a 8,726 comlog.pl
08/04/02 04:10a 18,433 comlog.txt
05/13/02 02:42p 1,506 command logger.txt
02/11/02 11:47a 971 pseudo code.txt
08/04/02 04:26a 655,520 root.exe
08/04/02 04:28a 583 Shortcut to cmd.exe.lnk
05/30/02 02:04p 35 systempath.txt
07/21/02 03:27p 878 test.txt
13 File(s) 1,563,574 bytes
488,338,432 bytes free


D:\commandlog>copy cmd.exe root.exe
1 file(s) copied.


D:\commandlog>exit



Appendix C. Sample session history (history.txt)


Sun Aug 4 04:31:09 2002
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.
Sun Aug 4 04:31:09 2002


D:\commandlog>dir
Sun Aug 4 04:31:15 2002
Volume in drive D is D
Volume Serial Number is 0480-D01C


Directory of D:\commandlog


08/04/02 04:31a <DIR> .
08/04/02 04:31a <DIR> ..
08/04/02 04:26a 655,520 cmd.exe
08/04/02 04:20a 8,726 comlog.pl
08/04/02 04:10a 18,433 comlog.txt
05/13/02 02:42p 1,506 command logger.txt
02/11/02 11:47a 971 pseudo code.txt
08/04/02 04:28a 583 Shortcut to cmd.exe.lnk
05/30/02 02:04p 35 systempath.txt
07/21/02 03:27p 878 test.txt
12 File(s) 894,939 bytes
489,010,688 bytes free
Sun Aug 4 04:31:15 2002


D:\commandlog>echo "There is a copy of cm_.exe and history.txt in here, but
we don't see it"
Sun Aug 4 04:32:02 2002
Sun Aug 4 04:32:02 2002


D:\commandlog>echo "That last message didn't echo because it contained the
fobidden words"
Sun Aug 4 04:32:31 2002
"That last message didn't echo because it contained the fobidden words"
Sun Aug 4 04:32:31 2002


D:\commandlog>cd ..
Sun Aug 4 04:32:35 2002
Sun Aug 4 04:32:35 2002


D:\>dir
Sun Aug 4 04:32:36 2002
Volume in drive D is D
Volume Serial Number is 0480-D01C


Directory of D:\


08/04/02 04:31a <DIR> commandlog
06/25/02 12:57p <DIR> Dev
12/25/00 09:34p <DIR> downloads
08/04/02 04:20a <DIR> Log
08/04/02 04:21a <DIR> LogAgent 2.0
01/02/01 03:57p <DIR> movies
07/24/01 12:59p <DIR> Musique
08/04/02 02:42a <DIR> NONE
06/25/02 01:59p <DIR> NTRESKIT
08/04/02 02:59a 67,108,864 pagefile.sys
05/20/01 06:10a <DIR> Program Files
08/04/02 04:31a <DIR> TEMP
04/30/02 02:33p <DIR> Test
10/15/00 04:06p <DIR> VIRUSES
05/24/02 06:22p <DIR> WINNT
05/24/02 06:22p 92 WINNTdun.bat
16 File(s) 67,108,956 bytes
489,009,152 bytes free
Sun Aug 4 04:32:37 2002


D:\>ipconfig
Sun Aug 4 04:32:43 2002



Windows NT IP Configuration




Ethernet adapter DE5284:




IP Address. . . . . . . . . : 192.168.0.1


Subnet Mask . . . . . . . . : 255.255.0.0


Default Gateway . . . . . . : 192.168.0.1



PPP adapter NdisWan3:




IP Address. . . . . . . . . : 0.0.0.0


Subnet Mask . . . . . . . . : 0.0.0.0


Default Gateway . . . . . . :


Sun Aug 4 04:32:43 2002


D:\>net share
Sun Aug 4 04:32:47 2002


Share name Resource Remark



-------------------------------------------------------------------------------
IPC$ Remote IPC
C$ C:\ Default share
D$ D:\ Default share
G$ G:\ Default share
Log$ D:\Log
ADMIN$ D:\WINNT Remote Admin
Log D:\Log
The command completed successfully.



Sun Aug 4 04:32:47 2002


D:\>dir \log >> dirlog.txt
Sun Aug 4 04:33:52 2002
Sun Aug 4 04:33:52 2002


D:\>echo "The user see no display because he sent the output to a file"
Sun Aug 4 04:34:39 2002
"The user see no display because he sent the output to a file"
Sun Aug 4 04:34:39 2002


D:\>type dirlog.txt
Sun Aug 4 04:34:45 2002
Volume in drive D is D
Volume Serial Number is 0480-D01C


Directory of D:\log


08/04/02 04:20a <DIR> .
08/04/02 04:20a <DIR> ..
04/30/02 02:37p 3,819 adam.log
09/25/00 08:31p 373 bind.log
05/20/01 05:46a 6,917 getright.log
08/04/02 02:50a 131,546 IAMDB.RDB
09/25/00 08:31p 41 restart.log
08/04/02 04:20a 177 Scan Viruses.lnk
09/25/00 08:31p 36 shutdown.log
09/25/00 08:31p 104 startup.log
04/29/02 02:56p 218 test.bat
04/30/02 02:33p 3,721 test.txt
07/24/01 11:26a 5,553 ZALog.txt
14 File(s) 153,044 bytes
489,005,568 bytes free
Sun Aug 4 04:34:46 2002


D:\>dir
Sun Aug 4 04:34:51 2002
Volume in drive D is D
Volume Serial Number is 0480-D01C


Directory of D:\


08/04/02 04:31a <DIR> commandlog
06/25/02 12:57p <DIR> Dev
08/04/02 04:33a 886 dirlog.txt
12/25/00 09:34p <DIR> downloads
08/04/02 04:20a <DIR> Log
08/04/02 04:21a <DIR> LogAgent 2.0
01/02/01 03:57p <DIR> movies
07/24/01 12:59p <DIR> Musique
08/04/02 02:42a <DIR> NONE
06/25/02 01:59p <DIR> NTRESKIT
08/04/02 02:59a 67,108,864 pagefile.sys
05/20/01 06:10a <DIR> Program Files
08/04/02 04:31a <DIR> TEMP
04/30/02 02:33p <DIR> Test
10/15/00 04:06p <DIR> VIRUSES
05/24/02 06:22p <DIR> WINNT
05/24/02 06:22p 92 WINNTdun.bat
17 File(s) 67,109,842 bytes
489,004,544 bytes free
Sun Aug 4 04:34:51 2002


D:\>cd commandlog
Sun Aug 4 04:34:57 2002
Sun Aug 4 04:34:57 2002


D:\commandlog>dir
Sun Aug 4 04:34:59 2002
Volume in drive D is D
Volume Serial Number is 0480-D01C


Directory of D:\commandlog


08/04/02 04:31a <DIR> .
08/04/02 04:31a <DIR> ..
08/04/02 04:26a 655,520 cmd.exe
08/04/02 04:20a 8,726 comlog.pl
08/04/02 04:10a 18,433 comlog.txt
05/13/02 02:42p 1,506 command logger.txt
02/11/02 11:47a 971 pseudo code.txt
08/04/02 04:28a 583 Shortcut to cmd.exe.lnk
05/30/02 02:04p 35 systempath.txt
07/21/02 03:27p 878 test.txt
12 File(s) 900,833 bytes
489,003,520 bytes free
Sun Aug 4 04:34:59 2002


D:\commandlog>copy cmd.exe root.exe
Sun Aug 4 04:35:44 2002
1 file(s) copied.
Sun Aug 4 04:35:44 2002


D:\commandlog>exit
Sun Aug 4 04:35:50 2002

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close